Re: Possible bug with compression

Sun, 26 May 2013 07:04:57 -0700 

Hi,

Your configuration is not compatible with NTLM.
NTLM requires the connection remains available over the time or
authentication is broken.
When you enable http-server-close, haproxy will change the connection
for each HTTP request.
So disable it, you'll pass in the "tunnel" mode.

That said, I'm almost sure compression is not compatible with tunnel mode.

Baptiste


On Thu, May 23, 2013 at 10:44 AM, Sander Klein <[email protected]> wrote:
> Hi,
>
> I think I've found a possible bug with the combination SSL, compression and
> NTLM auth. But, I'm not sure if it's really a bug or if NTLM auth is crap
> (well it is...).
>
> When enabling compression the authorization fails sometimes. When I disable
> compression everything is fine. I don't know if it's just a silly thing to
> enable compression in this situation. Has anyone else tried this?
>
> I'm running haproxy-dev18-ss-20130512 and my config is like:
>
> defaults
>   log global
>
>   mode http
>
>   compression algo gzip
>
>   option http-server-close
>   option tcp-smart-accept
>   option tcp-smart-connect
>   option abortonclose
>
> frontend default-fe
>   bind 1.2.3.4:80
>   bind a:b:c:d:e:f:80
>   bind 1.2.3.4:443 ssl crt /etc/haproxy/ssl/some.pem ciphers
> RC4:HIGH:!aNULL:!MD5
>   bind a:b:c:d:e:f:443 ssl crt /etc/haproxy/ssl/some.pem ciphers
> RC4:HIGH:!aNULL:!MD5
>
>   maxconn 512
>
>   option httplog
>   option forwardfor
>   option splice-auto
>
>   # Add X-Forwarded-* headers
>   http-request set-header X-Forwarded-Proto https if { ssl_fc }
>   http-request set-header X-Forwarded-Ssl on if { ssl_fc }
>   http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
>   http-request set-header X-Forwarded-Ssl off if ! { ssl_fc }
>
>   # Define hosts which need to redirect to HTTPS
>   acl need_ssl hdr(Host) -i iis.host.local
>
>   redirect scheme https if need_ssl ! { ssl_fc }
>
>   # Define backends and redirect correct hostnames
>   use_backend iis-backend if { hdr(Host) -i iis.host.local }
>
> backend iis-backend
>   fullconn 20
>
>   no option http-server-close
>   option httpchk GET / HTTP/1.0
>
>   server iis-stuff 2.3.4.5:80 cookie iis check inter 2000
>
>
> Regard,
>
> Sander
>
>

Reply via email to